(Times of Israel) Stuxnet, gone rogue, hit Russian nuke plant, space station (fwd)
Hi, I guess this is news? They say it happened a few years ago, but I see it being reported right now.

Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature. **
** As the answer, master did "rm -rif" on the programmer's home **
** directory. And then the C programmer became enlightened... **
** Tomasz Rola mailto:tomasz_rola@bigfoot.com **

---------- Forwarded message ----------
Date: Tue, 12 Nov 2013 20:30:11 +0100 (CET)
From: Tomasz Rola <rtomek@ceti.pl>
To: <info@postbiota.org>, Transhuman Tech <tt@postbiota.org>
Cc: Tomasz Rola <rtomek@ceti.pl>
Subject: (Times of Israel) Stuxnet, gone rogue, hit Russian nuke plant, space station

[ http://www.timesofisrael.com/stuxnet-gone-rogue-hit-russian-nuke-plant-space... ]

(... links deleted all the way down ...)

* Tuesday, November 12, 2013 * Kislev 9, 5774 * 12:43 am IST

Stuxnet, gone rogue, hit Russian nuke plant, space station

A cyber-security expert says several ostensibly secure facilities became victims of the virus that struck Iran's nuclear program

By David Shamah, November 11, 2013, 4:21 pm

Eugene Kaspersky (Photo credit: Courtesy Tel Aviv University)

A Russian nuclear power plant was reportedly "badly infected" by the rogue Stuxnet virus, the same malware that reportedly disrupted Iran's nuclear program several years ago. The virus then spread to the International Space Station via a Stuxnet-infected USB stick transported by Russian cosmonauts.

Speaking to journalists in Canberra, Australia, last week, Eugene Kaspersky, head of the anti-virus and cyber protection firm that bears his name, said he had been tipped off about the damage by a friend who works at the Russian plant. Kaspersky did not say when the attacks took place, but implied that they occurred around the same time the Iranian infection was reported.
He also did not comment on the impact of the infections on either the nuclear plant or the space station, but did say that the latter facility had been attacked several times.

The revelation came during a question-and-answer period after a presentation on cyber-security. The point, Kaspersky told reporters at Australia's National Press Club last week, was that not being connected to the Internet -- the public web cannot be accessed at either the nuclear plant or on the ISS -- is a guarantee that systems will remain safe. The identity of the entity that released Stuxnet into the "wild" is still unknown (although media speculation insists it was developed by Israel and the United States), but those who think they can control a released virus are mistaken, Kaspersky warned.

"What goes around comes around," Kaspersky said. "Everything you do will boomerang."

The Stuxnet virus came to light in 2010, having attacked Iranian nuclear facilities by hitting the programmable logic control automation systems that control them. The PLC system, manufactured by German conglomerate Siemens, runs the centrifuges used to enrich uranium at Iran's Natanz facility. Variants of Stuxnet have affected the facility's centrifuges in various ways, mostly by changing the activity of valves controlled by the PLC software that feed the uranium to centrifuges at a specific rate required for enrichment, Kaspersky said in several presentations last year.

It's not known when Stuxnet began its activities, but researchers at anti-virus company Symantec said that they had gathered evidence that earlier versions of the code were already seen "in the wild" in 2005, although it wasn't yet operational as a virus.
Stuxnet, said Symantec, was the first virus known to attack national infrastructure projects, and according to the company, the groups behind Stuxnet were already seeking to compromise Iran's nuclear program in 2007 -- the year Iran's Natanz nuclear facility, where much of the country's uranium enrichment is taking place, went online.

Now that the plague has been unleashed, said Kaspersky, no one is immune -- and that includes its originators, who are no longer in control of it. "There are no borders" in cyberspace, and no one should be surprised at any reports of a virus attack, no matter how ostensibly secure the facility, he said.

(... links deleted ...)

© 2013 The Times of Israel, All rights reserved.

References: (... all deleted, ouch ...)
The software was highly specific and messed with the controller of centrifuges. Speeding it up and slowing it down faster than they should, messing with the bearings (or something like that). I didn't know the ISS had that sort of centrifuges there. Regardless, the protip is: don't windows for critical systems.
On Tue, Nov 12, 2013 at 10:57:43PM +0100, Lodewijk andré de la porte wrote:
The software was highly specific and messed with the controller of centrifuges. Speeding it up and slowing it down faster than they should, messing with the bearings (or something like that). I didn't know the ISS had that sort of centrifuges there.
Regardless, the protip is: don't windows for critical systems.
The final payload was specific to the Natanz turbine controllers. The Windows malware delivery mechanism, though, could in theory infect any Windows host it came in contact with (that didn't have the 0days fixed). The intermediate stage attacked the Siemens Step7 software, which runs on Windows and which could potentially be used in space applications (although it seems somewhat unlikely that it would have been used *on* the ISS). The intermediate stage was designed to be inactive unless the specific configuration of hardware found at Natanz was detected, so in theory it should be "safe" even if Step7 were found on an ISS system, but that theory seems risky to depend on.

Reading the reports charitably, I would suspect that the Windows malware delivery mechanism might have been transported to the ISS, but would have been inactive there in the absence of a Step7 installation for the intermediate stage to infect.

-andy
2013/11/13 Andy Isaacson <adi@hexapodia.org>
Reading the reports charitably, I would suspect that the Windows malware delivery mechanism might have been transported to the ISS, but would have been inactive there in the absence of a Step7 installation for the intermediate stage to infect.
I hadn't thought they'd write it that way. In this way it makes sense. Thank you for your response.
On Tue, 12 Nov 2013, Lodewijk andré de la porte wrote:
Regardless, the protip is: don't windows for critical systems.
Wrong lesson. Windows was used, but was not necessary. The lesson here is to reinforce the airgap with restrictions on who and how software and hardware is connected to critical systems. No critical system should be connected to anything other than its own closed system unless there is an absolutely unavoidable reason (such as code repair). Where the system must be disturbed, nothing that connects to the protected system should be unexamined prior to connection, and the examination should be meticulously performed, by qualified personnel (and there should always be a lab-duplicate upon which all such events are dry-run).

//Alif

--
Those who make peaceful change impossible, make violent revolution inevitable.
An American Spring is coming: one way or another.
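One way to operationalise the rule above that nothing reaches the protected system unexamined, as an added example (not code from this thread): a gate that checks the staged contents of a removable medium against an approved manifest before anything is connected to the closed system. The manifest format, the file names and the sample contents are constructed for the example.

```python
"""Media-transfer gate for a closed system (added example, not thread code).
Models the post above: nothing reaches the protected system unexamined.
Media contents are staged in a directory and accepted only if every file
matches an approved SHA-256 manifest and nothing unlisted rides along.
Manifest format and sample file names are constructed for the example."""
import hashlib, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_manifest(text):
    """One entry per line: '<sha256 hex>  <relative/path>'; '#' comments."""
    approved = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            approved[rel.strip()] = digest.lower()
    return approved

def inspect_media(staging_dir, manifest_text):
    """Default deny: any unlisted, altered or absent file fails the gate."""
    approved = parse_manifest(manifest_text)
    unlisted, mismatched, seen = [], [], set()
    for root, _dirs, files in os.walk(staging_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, staging_dir).replace(os.sep, "/")
            seen.add(rel)
            if rel not in approved:
                unlisted.append(rel)          # present but never approved
            elif sha256_file(full) != approved[rel]:
                mismatched.append(rel)        # listed but content differs
    missing = sorted(set(approved) - seen)    # approved but not present
    return {"approved": not (unlisted or mismatched or missing), "unlisted": sorted(unlisted),
            "mismatched": sorted(mismatched), "missing": missing}

def demo():
    """Constructed scenario: approved package, then the same stick with one altered and one stray file."""
    good = {"firmware/update.bin": b"constructed image v2\n", "README.txt": b"offline apply\n"}
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {r}" for r, d in good.items())
    with tempfile.TemporaryDirectory() as stage:
        for rel, data in good.items():
            os.makedirs(os.path.dirname(os.path.join(stage, rel)), exist_ok=True)
            with open(os.path.join(stage, rel), "wb") as f:
                f.write(data)
        clean = inspect_media(stage, manifest)
        with open(os.path.join(stage, "README.txt"), "ab") as f:
            f.write(b"tampered\n")                     # altered after approval
        with open(os.path.join(stage, "stray.exe"), "wb") as f:
            f.write(b"unapproved binary")              # rode along unlisted
        return clean, inspect_media(stage, manifest)
```

The second verdict shows why the default must be deny: the stray file is rejected even though nothing is known about it, and the altered file is rejected even though its name is on the approved list.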
But what if they use BadBIOS to beam into space on a microwave carrier by modulating the PSU of all infected laptops at once?!

"J.A. Terranson" <measl@mfn.org> wrote:
On Tue, 12 Nov 2013, Lodewijk andré de la porte wrote:
Regardless, the protip is: don't windows for critical systems.
Wrong lesson. Windows was used, but was not necessary. The lesson here is to reinforce the airgap with restrictions on who and how software and hardware is connected to critical systems. No critical system should be connected to anything other than its own closed system unless there is an absolutely unavoidable reason (such as code repair). Where the system must be disturbed, nothing that connects to the protected system should be unexamined prior to connection, and the examination should be meticulously performed, by qualified personnel (and there should always be a lab-duplicate upon which all such events are dry-run).
//Alif
-- Those who make peaceful change impossible, make violent revolution inevitable.
An American Spring is coming: one way or another.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Thu, 14 Nov 2013, Cathal Garvey (Phone) wrote:
But what if they use BadBIOS to beam into space on a microwave carrier by modulating the PSU of all infected laptops at once?!
I understand your point, however, we aren't talking about just any old system, we are discussing the most critical parts of electronic infrastructure here. When you've got a computer controlling fission, or power distribution {$your critical infrastructure of choice}, this is simply a Best Practice. Hell, if we can do this for crap like public Internet carriers[1], why is it unreasonable to do this for actual critical systems?

//Alif

[1] I have worked for or with several internet carriers who enforced this kind of security around their core systems: the smallest was a very small regional carrier, while the largest was a multinational NSP. The only potential losses were dollars - painful but not necessarily fatal, or with any national security interest. If a dipshit regional carrier can do this, a power company failing to do so is simply negligent.

And yes, I know that power companies are notoriously casual with their SCADA systems: it makes me crazy to think about it.

--
Those who make peaceful change impossible, make violent revolution inevitable.
An American Spring is coming: one way or another.
Also, I was kidding. :)

On Thu, 14 Nov 2013 06:38:10 -0600 (CST) "J.A. Terranson" <measl@mfn.org> wrote:
On Thu, 14 Nov 2013, Cathal Garvey (Phone) wrote:
But what if they use BadBIOS to beam into space on a microwave carrier by modulating the PSU of all infected laptops at once?!
I understand your point, however, we aren't talking about just any old system, we are discussing the most critical parts of electronic infrastructure here. When you've got a computer controlling fission, or power distribution {$your critical infrastructure of choice}, this is simply a Best Practice. Hell, if we can do this for crap like public Internet carriers[1], why is it unreasonable to do this for actual critical systems?
//Alif
[1] I have worked for or with several internet carriers who enforced this kind of security around their core systems: the smallest was a very small regional carrier, while the largest was a multinational NSP. The only potential losses were dollars - painful but not necessarily fatal, or with any national security interest. If a dipshit regional carrier can do this, a power company failing to do so is simply negligent.
And yes, I know that power companies are notoriously casual with their SCADA systems: it makes me crazy to think about it.
On Thu, 14 Nov 2013, Cathal Garvey wrote:
Also, I was kidding. :)
It's pretty hard to tell the difference between kidding and sarcasm making an argument I have heard more times than I like to believe: still, I'm glad it was the former and not the latter!

//Alif

--
Those who make peaceful change impossible, make violent revolution inevitable.
An American Spring is coming: one way or another.
participants (6):
- Andy Isaacson
- Cathal Garvey
- Cathal Garvey (Phone)
- J.A. Terranson
- Lodewijk andré de la porte
- Tomasz Rola